Automated execution environments (sometimes referred to as “sandboxes”) are often used to facilitate controlled execution and/or observation of suspicious and/or unknown files. For example, an automated execution environment may execute a file sample to observe whether the file sample exhibits any potentially malicious behaviors. By executing and observing the file sample in this way, the automated execution environment may be able to determine that the file sample is malicious without exposing the underlying computing platform to certain risks associated with the malicious file.
Unfortunately, conventional automated execution environments may have deficiencies and/or vulnerabilities that allow certain malicious files to evade detection during malware analyses. For example, a conventional automated execution environment may include certain hooks (such as user mode hooks and/or kernel mode hooks) inserted in various Application Programming Interface (API) functions. In this example, the hooks may be configured to record and/or log when a file sample initiates certain API calls during a malware analysis. In the event that the hooks' locations are fairly well known and/or the file sample is configured to search for such hooks, the file sample may be able to bypass the hooks without being detected by the conventional automated execution environment. As a result, the conventional automated execution environment may be unable to accurately track the file sample's behaviors, so that the file sample appears clean even though it contains malware.
The instant disclosure, therefore, identifies and addresses a need for additional and improved systems and methods for identifying detection-evasion behaviors of files undergoing malware analyses.